Authorising users for access to a service¶
Helmholtz ID offers several ways to manage the authorisation of users and user groups, as well as several ways of transmitting this information to services.
Warning
All these methods can be combined, which can easily result in highly complex or even chaotic authorisation schemas if they are not planned well beforehand. If a service provider plans to establish a non-trivial authorisation schema for heterogeneous user groups, please check the following methods carefully and, if in doubt, contact us to discuss the best way to implement it.
Project-specific user groups¶
Users can be organised in hierarchical (tree-topology) groups, dubbed “Virtual Organisations (VOs)”. VOs allow fine-grained information on users’ entitlements to be provided to services, and allow the workload of user management to be distributed across multiple sub-group managers where needed.
- How to register a virtual organisation (VO)
- How to manage users in VOs (and sub-VOs)
- Examples and practices on how to implement complex role management with VOs
Group membership is transmitted to the service via group claims.
The already registered VOs are listed here.
Organisation-specific user groups¶
Organisation-specific groups (VOs) are currently supported for all Helmholtz Centres and for Helmholtz as a whole. This allows a user to be identified automatically as a member of a supported organisation, provided that the organisation’s IdP releases sufficient information. The list of currently supported organisations can be found here.
For example, any employee of a Helmholtz organisation can be identified via the claim value urn:geant:helmholtz.de:group:Helmholtz-member.
Organisation-hierarchy user groups¶
Organisation-hierarchy groups (VOs) are currently supported by some Helmholtz Centres. This allows a user to be identified automatically as a member of a supported organisational unit within the organisation, provided that the organisation’s IdP releases sufficient information. The list of currently supported organisations can be found here.
Resource capabilities¶
If a user is not a member of a specific VO but is nevertheless allowed to use a service, this is expressed as an entitlement of the user. In most cases the entitlement value is defined by the service, asserted by the user’s organisation and forwarded by Helmholtz ID. Services should therefore compare the forwarded value exactly against the value they defined, rather than matching on a prefix.
Assurance¶
IdPs can provide elevated assurance about the identity of the logged-in user, for example stating that a photo ID has been checked and/or that multi-factor authentication is employed. This is asserted by the user’s organisation and forwarded by Helmholtz ID as assurance in the corresponding claims, as described here. If the organisation provides only the individual assurance components but not the fulfilled profiles, Helmholtz ID adds the profile information. This information cannot be set for all social IdPs, since not all of them guarantee the uniqueness of user identifiers or the refresh intervals of the user information.
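The following is an added example, not code from the Helmholtz ID project, showing how a service might evaluate the three kinds of information described above (VO group claims including sub-VOs, resource capabilities, and assurance) once it has the claims of a logged-in user. It assumes that group memberships and resource capabilities arrive in an OIDC claim named `eduperson_entitlement` as URNs of the form `urn:geant:helmholtz.de:group:<VO>[:<sub-VO>…]` and `urn:geant:helmholtz.de:res:…`, optionally suffixed with `#<authority>`, and that assurance arrives in a claim named `eduperson_assurance` as REFEDS Assurance Framework URIs; the claim names, the URN layout beyond the single value quoted on this page, the `DemoVO` and `demo-service` names and all sample values are assumptions constructed for the example.

```python
"""Claim-based authorisation for a service behind Helmholtz ID (added example).

Assumptions, not taken from the page: claim names, the ':'-delimited sub-VO
layout, the optional '#<authority>' suffix and the 'res:' capability prefix.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Mapping, Optional, Sequence

ENTITLEMENT_CLAIM = "eduperson_entitlement"   # assumed claim name
ASSURANCE_CLAIM = "eduperson_assurance"       # assumed claim name
GROUP_PREFIX = "urn:geant:helmholtz.de:group:"
RESOURCE_PREFIX = "urn:geant:helmholtz.de:res:"   # assumed capability prefix


def _strip_authority(urn: str) -> str:
    """Drop an optional '#<authority>' suffix so comparisons use the bare path."""
    return urn.split("#", 1)[0]


def _as_list(value) -> list[str]:
    """Tolerate providers that send a single string instead of a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _entitlements(claims: Mapping, prefix: str) -> set[str]:
    """All entitlement values under `prefix`, with prefix and authority removed."""
    return {
        _strip_authority(v)[len(prefix):]
        for v in _as_list(claims.get(ENTITLEMENT_CLAIM))
        if _strip_authority(v).startswith(prefix)
    }


def group_memberships(claims: Mapping) -> set[str]:
    """VO paths the user is in, e.g. {'Helmholtz-member', 'DemoVO:data-managers'}."""
    return _entitlements(claims, GROUP_PREFIX)


def is_member(claims: Mapping, vo_path: str, include_subgroups: bool = True) -> bool:
    """True if the user is in vo_path or, optionally, in any sub-VO below it.

    The ':' delimiter is required on the ancestor match so that a policy for
    'Helmholtz' does not accidentally accept members of 'Helmholtz-member'.
    """
    for path in group_memberships(claims):
        if path == vo_path or (include_subgroups and path.startswith(vo_path + ":")):
            return True
    return False


def has_capability(claims: Mapping, capability: str) -> bool:
    """Exact match on a service-defined resource capability (no prefix matching)."""
    return capability in _entitlements(claims, RESOURCE_PREFIX)


def missing_assurance(claims: Mapping, required: Sequence[str]) -> set[str]:
    """Required assurance values that the user's claims do not carry."""
    return set(required) - set(_as_list(claims.get(ASSURANCE_CLAIM)))


@dataclass(frozen=True)
class Policy:
    any_of_vos: tuple[str, ...] = ()          # membership in any listed VO (sub-VOs count)
    capability: Optional[str] = None          # alternative route: a resource capability
    required_assurance: tuple[str, ...] = ()  # every listed value must be present


def authorise(claims: Mapping, policy: Policy) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). All rules are evaluated so a denial is explainable."""
    reasons: list[str] = []
    via_vo = any(is_member(claims, vo) for vo in policy.any_of_vos)
    via_cap = policy.capability is not None and has_capability(claims, policy.capability)
    if not (via_vo or via_cap):
        reasons.append("no qualifying VO membership or resource capability")
    lacking = missing_assurance(claims, policy.required_assurance)
    if lacking:
        reasons.append("assurance not met: " + ", ".join(sorted(lacking)))
    return (not reasons, reasons)


# Constructed sample claims; shape and values are assumptions, not a real token.
SAMPLE_CLAIMS = {
    "sub": "constructed-user-id",
    ENTITLEMENT_CLAIM: [
        "urn:geant:helmholtz.de:group:Helmholtz-member#login.helmholtz.de",
        "urn:geant:helmholtz.de:group:DemoVO:data-managers#login.helmholtz.de",
        "urn:geant:helmholtz.de:res:demo-service:upload#login.helmholtz.de",
    ],
    ASSURANCE_CLAIM: [
        "https://refeds.org/assurance/ID/unique",
        "https://refeds.org/assurance/IAP/medium",
        "https://refeds.org/assurance/profile/cappuccino",
    ],
}

# Example policy: members of DemoVO (any sub-VO) or holders of the upload
# capability may upload, but only with at least medium identity proofing.
UPLOAD_POLICY = Policy(
    any_of_vos=("DemoVO",),
    capability="demo-service:upload",
    required_assurance=("https://refeds.org/assurance/IAP/medium",),
)

if __name__ == "__main__":
    print(authorise(SAMPLE_CLAIMS, UPLOAD_POLICY))
```

Two details are worth keeping when adapting this: the ancestor match appends the `:` delimiter before comparing, so a sibling VO with a longer name is never matched by accident, and resource capabilities are compared exactly, as the page describes them as values defined by the service.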
Need help?¶
Contact us if you need help.